China SSL authority revoked by browsers

Attitudes toward privacy and security in China’s technology space have lots of room for improvement, compared with how similar institutions elsewhere have developed over the past decade or more. As outlined in my post “SSL Usage in China,” some institutions and businesses have been slow to adopt global industry security protocols that ensure safety on the Chinese Internet.

The most recent blow to the Chinese web security space was the distrusting of WoSign’s SSL certificate authority by Mozilla, Google and Apple after a recent incident involving their free certificate system. Earlier this year it was discovered that the Shenzhen-based certificate authority (CA) knowingly issued certificates to unverified domains (including a root certificate for Github.com) and did not immediately revoke the certificates after the infosec community discovered the problem. This, combined with an opaque and “misleading” acquisition of StartCom (another CA), forced major Western browsers to begin distrusting certificates issued by these CAs.
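For a site operator or defender, the practical question raised by a CA distrust is simple: are any of the certificates I rely on issued by the affected CAs, and were they issued after the date from which browsers stop trusting them? The following is an added example (not code from the original post) that applies such a policy to certificates in the dictionary form that Python’s standard-library `ssl.SSLSocket.getpeercert()` returns. The issuer organization names and the cutoff date are assumptions for the example: the names are what the WoSign and StartCom roots carry in their `organizationName` field as far as the author of this example knows, and the cutoff is a policy parameter that should be set to match your browser vendor’s announcement; the sample certificates are constructed, not captured from any real server.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: a site policy identifies the distrusted CAs by the organizationName
# on their roots/intermediates. Check these strings against your own trust store.
DISTRUSTED_ISSUER_ORGS = {"WoSign CA Limited", "StartCom Ltd."}

# Assumption: certificates issued on or after this date are rejected outright;
# older ones are flagged because they will lose trust as they expire. Adjust to
# the date your browser vendor's distrust takes effect.
DISTRUST_CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)


def _name_field(name_tuples, field):
    """Extract one attribute (e.g. 'organizationName') from the nested tuple
    structure getpeercert() uses for the 'issuer' and 'subject' keys."""
    for rdn in name_tuples:
        for key, value in rdn:
            if key == field:
                return value
    return None


def evaluate_certificate(cert, distrusted_orgs=DISTRUSTED_ISSUER_ORGS,
                         cutoff=DISTRUST_CUTOFF):
    """Return (status, reason) where status is 'reject', 'warn' or 'accept'."""
    issuer_org = _name_field(cert.get("issuer", ()), "organizationName")
    # cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' format as UTC.
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issuer_org in distrusted_orgs:
        if not_before >= cutoff:
            return ("reject", f"issued by distrusted CA {issuer_org!r} on "
                              f"{not_before.date()}, on/after cutoff {cutoff.date()}")
        return ("warn", f"issued by {issuer_org!r} on {not_before.date()}, before "
                        f"the cutoff; plan a re-issue from a trusted CA")
    return ("accept", f"issuer {issuer_org!r} is not on the distrust list")


def fetch_leaf_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a live server presents, in getpeercert() form.
    Caveat: getpeercert() returns only the leaf, and only after the default
    context has validated the chain, so a chain the local trust store already
    rejects raises ssl.SSLCertVerificationError before this function returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() dictionary form (not real).
SAMPLE_CERTS = {
    "wosign_after_cutoff": {
        "subject": ((("commonName", "shop.example.test"),),),
        "issuer": ((("countryName", "CN"),),
                   (("organizationName", "WoSign CA Limited"),),
                   (("commonName", "WoSign CA Free SSL Certificate G2"),)),
        "notBefore": "Nov 01 00:00:00 2016 GMT",
        "notAfter": "Nov 01 00:00:00 2017 GMT",
    },
    "wosign_before_cutoff": {
        "subject": ((("commonName", "blog.example.test"),),),
        "issuer": ((("countryName", "CN"),),
                   (("organizationName", "WoSign CA Limited"),),
                   (("commonName", "WoSign CA Free SSL Certificate G2"),)),
        "notBefore": "Mar 15 00:00:00 2016 GMT",
        "notAfter": "Mar 15 00:00:00 2017 GMT",
    },
    "other_ca": {
        "subject": ((("commonName", "www.example.test"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example Trust Services"),),
                   (("commonName", "Example Secure Server CA"),)),
        "notBefore": "Jun 01 00:00:00 2016 GMT",
        "notAfter": "Jun 01 00:00:00 2018 GMT",
    },
}


if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        status, reason = evaluate_certificate(cert)
        print(f"{label:22s} {status:7s} {reason}")
```

Running the module prints one verdict per constructed certificate; to audit a real host, pass the result of `fetch_leaf_cert("your.host")` to `evaluate_certificate`. Because `getpeercert()` exposes only the leaf, a full audit of intermediates needs the server’s PEM chain and an X.509 parser, which is beyond what the standard library offers here.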

This incident is a big deal, especially as WoSign claims to issue a third of all certificates for Chinese websites. With that being said, many major Chinese websites like Baidu and Sina Weibo use certificates issued by Symantec, a leader in its field.

Incidents like this show an obvious division between the Chinese Internet and the rest of the technology community. With the Great Firewall essentially cordoning off the Chinese Internet from the systems and practices of the greater web, we may be seeing the beginning of a sort of schism in the priorities of Chinese tech products compared to the greater Web.

Dmitry Medvedev speaking at the World Internet Conference in Wuzhen, China. Courtesy http://government.ru

The established security protocols outside the GFW are not being adopted within China and are creating greater balkanization of the Internet as a whole. While the Chinese government is trying to secure the Chinese web to a greater degree in light of revelations from Edward Snowden and its recently passed cybersecurity law, users and institutions may not be demanding adherence to global protocols seen as so closely aligned with the Western Internet status quo. This, coupled with a clearer definition of “Internet Sovereignty,” could mean more incidents similar to those with WoSign.

There is a chance this isn’t part of some greater strategy to partition the web, but rather due to the immaturity of the Chinese technology sector itself, which would rather focus on growth in other fields than these kinds of issues. There is also a chance the “chabuduo” culture has let some companies cut corners for the sake of delivering a product as quickly as possible.

Nonetheless, many of the issues created by this incident have already begun to affect the organizational structure of WoSign and StartCom, as recently reported by The Register. With that being said, how this incident will affect the long-term standards of Chinese Internet companies remains to be seen.

About The Author

John P. Gamboa

John is a Technical Success Manager at WP Engine. Before moving to Austin, John lived in South Korea and China for the better part of four years. His life as an amateur Chinese web censorship expert, traveler, map nerd and beer geek can be found on this site.